From fd3c1e8537da893dcf791b0770a9ca97f833d406 Mon Sep 17 00:00:00 2001 From: asyncnomi Date: Sat, 2 Aug 2025 19:46:25 +0200 Subject: [PATCH] remove unnecessary auth, and automate slave<->master first synchronisation --- secrets/db/repli.age | 15 -------- secrets/secrets.nix | 4 -- shared/db/postgres.nix | 84 +++++++++++++++++++++++------------------- 3 files changed, 46 insertions(+), 57 deletions(-) delete mode 100644 secrets/db/repli.age diff --git a/secrets/db/repli.age b/secrets/db/repli.age deleted file mode 100644 index 89bef05..0000000 --- a/secrets/db/repli.age +++ /dev/null @@ -1,15 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 Zvjaow yrEEH8XmRgAE3GsrJLEj+31AeycI4pzJOPf3Wn/0A2A -hHL1NrHQp7Wiz0OfJocS0k5FMbNdDP6/MiE41np6Gz8 --> ssh-ed25519 ffQbjQ HuC2HMqEhyDzAoqQ8CJLlaC4MURaveqmZmgPey3oqic -7HKDbHBLKOmaE5TfCeAxlIZiL9nbXi7SLbjTE1V8X7s --> ssh-ed25519 Ecp4NA g69mK84+q4o5FeTNgpx0mQci4YUMiopDm4deUlAGIk4 -dxZ23+1xVSCj0qzb/Yk0AqFVSWQ3hq5/O7caBR/KO5I --> ssh-ed25519 vHebMw 69vZK4gSyRFcDrOzH1K6MzIaYCcptitS5MsQZJGwWQg -svezfzc1nflR4luSz5LdKyB7qMPABwzYKeM/RMll7Jk --> ssh-ed25519 um7xWA /e8k7zbKQA7Eh2y6k3SgqoLXiTWdmEjVNFQS0lulqT4 -aNovNzQ518/AhDYRk/w2C0fjBh+vk3TRB0+ekRH0oks --> ssh-ed25519 oRtTqQ 3T+jsCs91kDuUlOWdtDJ0mcTLnmfirsGNCX3NmJXiXk -b1anF0O9x0UGY3Swxnw2/8I/RQeN6qun0psyvbBrDLg ---- JqYMhTAVP9q3Ca8p96YVIAVSdYoc89mqx/lbRwgTgtY -쳩’ñ€k_3_l¹4¯»eú•ú··!pž»ÖœúŒMÄqÌès¼ËÖp'¬¹¯jð||n¼“KàÔÃf!™yn›éu×TƒÛ \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 2656cf5..90c7ecb 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -109,8 +109,4 @@ in "mail/dkim.age".publicKeys = system-mail ++ users; "mail/mbox/test.age".publicKeys = system-mail ++ users; - - # DB secrets - - "db/repli.age".publicKeys = system-db ++ users; } \ No newline at end of file diff --git a/shared/db/postgres.nix b/shared/db/postgres.nix index 66847c4..db30377 100644 --- a/shared/db/postgres.nix +++ b/shared/db/postgres.nix @@ -1,11 +1,3 @@ -## Note: This file wont setup the replication by itself -## Once deploy follow those instruction to run the streaming replication -## Execute on each slave (replace major version an ip addr accordingly): -# 1. sudo systemctl stop postgresql.service -# 2. sudo rm -r /var/lib/postgresql/17 -# 3. pg_basebackup -h 172.19.1.2 -U replication -p 5432 -D /var/lib/postgresql/17 -P -Xs -# 4. sudo systemctl restart postgresql.service - { config, pkgs, lib, ... }: let @@ -23,16 +15,6 @@ let masterIP = "172.19.${toString masterNode.zone}.${toString masterNode.id}"; in { - age.secrets."repli" = { - file = ./../../secrets/db/repli.age; - owner = "postgres"; - group = "postgres"; - }; - - systemd.services.postgresql.environment = lib.mkIf (builtins.elem myName mapping.db.slaves) { - # Currently unused cause pwd is mannually set during basebackup - PGPASSFILE = "${config.age.secrets.repli.path}"; - }; services.postgresql = { enable = true; # Force postgres package major version @@ -43,16 +25,19 @@ in superuser_map root postgres superuser_map postgres postgres ''; + # Replication tasks are not authenticated + # The wireguard mesh cryptographically + # ensures the sender is who we expect. authentication = lib.mkForce (builtins.concatStringsSep "\n" (['' #type database DBuser auth-method optional_ident_map local all all peer map=superuser_map ''] ++ lib.optionals (myName == mapping.db.master) (map (slaveName: let slaveNode = nodes.${slaveName}; in - "host replication replication 172.19.${toString slaveNode.zone}.${toString slaveNode.id}/32 md5" + "host replication replication 172.19.${toString slaveNode.zone}.${toString slaveNode.id}/32 trust" ) mapping.db.slaves) ++ lib.optionals (builtins.elem myName mapping.db.slaves) [ - "host replication replication ${masterIP}/32 md5" + "host replication replication ${masterIP}/32 trust" ])); ensureUsers = lib.mkIf (myName == mapping.db.master) [{ name = "replication"; @@ -65,30 +50,53 @@ in log_statement = "none"; logging_collector = true; log_disconnections = true; - } // lib.optionalAttrs (myName == mapping.db.master) { - wal_level = "logical"; - wal_sender_timeout = "60s"; max_wal_senders = 16; + wal_level = "logical"; + } // lib.optionalAttrs (myName == mapping.db.master) { + wal_sender_timeout = "60s"; wal_keep_size = 1000; # In MB } // lib.optionalAttrs (builtins.elem myName mapping.db.slaves) { - wal_level = "logical"; wal_receiver_timeout = "60s"; - max_wal_senders = 16; - # Should be override by postgreqql.auto.conf generated by pg_basebackup - primary_conninfo = "host=${masterIP} port=5432 user=replication"; hot_standby = "on"; + primary_conninfo = "host=${masterIP} port=5432 user=replication"; }; }; - # The password looks like: "*:*:*:*:" - # Cf: https://www.postgresql.org/docs/current/libpq-pgpass.html - systemd.services.postgresql.postStart = lib.mkIf (myName == mapping.db.master) '' - $PSQL -tA <<'EOF' - DO $$ - DECLARE password TEXT; - BEGIN - password := trim(both from split_part(replace(pg_read_file('${config.age.secrets.repli.path}'), E'\n', '''), ':', 5)); - EXECUTE format('ALTER USER replication WITH PASSWORD '''%s''';', password); - END $$; - EOF + # This preStart script sync the slaves to the master + # systemd.services..preStart has a mergeable type + systemd.services.postgresql.preStart = lib.mkIf (builtins.elem myName mapping.db.slaves) '' + if test -e ${cfg.dataDir}/.first_startup; then + echo "Setting up PostgreSQL slave replication..." + + # This is a sl that's defined by the default preStart script + # We need an empty dataDir for the pg_basebackup + # And there is no easy ways that I'm aware of + # to get the hash of that file without recomputing it + PSQL_CONF_PATH="${cfg.dataDir}/postgresql.conf" + PSQL_CONF_TARGET=$(readlink "$PSQL_CONF_PATH") + + # Remove data dir + if [ -d "${cfg.dataDir}" ]; then + echo "Deleting postgres data dir: ${cfg.dataDir}" + rm -rf "${cfg.dataDir}" + fi + + # Perform base backup from master + echo "Starting base backup from master: ${masterIP}" + ${cfg.package}/bin/pg_basebackup \ + -h "${masterIP}" \ + -U replication \ + -p ${toString cfg.settings.port} \ + -D "${cfg.dataDir}" \ + -P \ + -Xs \ + -R + + # Symlink back the psql configFile + ln -sf "$PSQL_CONF_TARGET" "$PSQL_CONF_PATH" + + echo "PostgreSQL slave setup completed successfully" + else + echo "PostgreSQL standby already configured (standby.signal exists), skipping base backup" + fi ''; } \ No newline at end of file